This invention relates to a subscriber line accommodation device having a DHCP server and a packet filtering method using the device with such a circuit configuration and, more specifically, relates to a subscriber line accommodation device and a packet filtering method each having a function of preventing illegal access.
A subscriber line accommodation device is used for allowing a plurality of user terminals to access a communication network such as the Internet via transmission lines such as telephone lines, coaxial cables, or optical cables. If fixed IP (Internet Protocol) addresses are allocated to the plurality of user terminals in such a subscriber line accommodation device, the following problem arises. Specifically, if a third party succeeds in guessing the IP address allocated to a certain user terminal, the third party can impersonate the person who possesses that user terminal.
A DHCP (Dynamic Host Configuration Protocol) server is a server having a function of temporarily allocating an IP address prepared in advance in response to a request for access to a communication network from a user terminal as a communication terminal. When such a DHCP server is employed, since IP addresses are not fixed on the user terminal side, it becomes easier to prevent third parties from assuming IP addresses. There is also an advantage that when a user terminal such as a computer or an Internet television temporarily accesses the Internet, a connection operation on a user side can be simplified by using the DHCP server. In view of such advantages, DHCP servers are often used on the subscriber line accommodation device side. A bridge has a function of sorting packets based on MAC (Media Access Control) addresses and therefore serves to prevent entry of those packets having nothing to do with a subscriber line accommodation device from a network.
On the other hand, user terminals such as computers and communication cards are each assigned a MAC address as their unique identification data. In response to accesses from the respective user terminals, a subscriber line accommodation device using a DHCP server associates the MAC addresses of those terminals with the IP addresses assigned by the DHCP server and stores the correlations therebetween.
In view of this, there has been proposed a technique where MAC addresses of all user terminals connected to lines accommodated in a subscriber line accommodation device are registered and, when a communication terminal different from any of the registered MAC addresses tries to access a network, this access is rejected to thereby improve the network security (e.g. see JP-A-2002-204246).
According to this proposal, when a user terminal, including one other than the user terminals subordinate to the subscriber line accommodation device, accesses the subscriber line accommodation device to request acquisition of an IP address, the DHCP server checks whether or not the MAC address thereof is any one of the MAC addresses registered in the subscriber line accommodation device, before allocating the IP address thereto. Since a MAC address is a 6-octet (48-bit) bit string, guessing it is much more difficult than guessing an IP address. Consequently, illegal accesses by third parties can be prevented more effectively.
In this proposal, however, a third party who has illegally obtained a user terminal such as a notebook personal computer or a communication card subordinate to the subscriber line accommodation device can make the DHCP server allocate an IP address by connecting the obtained user terminal to an access line accommodated in the subscriber line accommodation device. For example, in a CATV (Cable Television) network, a CATV modem is connected to the user terminals in respective subscribers' homes via coaxial cables. In such a CATV network, when an illegally obtained user terminal of another person is connected partway along the coaxial cable, illegal access is enabled by making the DHCP server allocate an IP address. This also applies to a case where a third party learns a MAC address by a method such as borrowing a user terminal of another person and illegally uses it.
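The MAC-registration check of the proposal discussed above, written out as an added illustration that is not part of the patent text: a minimal BOOTP/DHCP request parser that extracts the client hardware address (chaddr), and an allocator that leases an address only to a registered MAC and records the MAC-to-IP correlation the device stores. All MAC addresses and the address pool are constructed sample values.

```python
import struct

# Constructed allowlist of registered subscriber MACs and a constructed pool
# (192.0.2.0/24 is a documentation range, not a real assignment).
REGISTERED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
POOL = ["192.0.2.10", "192.0.2.11"]


def parse_chaddr(msg: bytes) -> str:
    """Return the client MAC from a raw BOOTP/DHCP message.

    Fixed header layout: op, htype, hlen, hops (1 byte each), xid (4),
    secs (2), flags (2), ciaddr/yiaddr/siaddr/giaddr (4 each), chaddr (16).
    Only the first hlen octets of chaddr are meaningful; Ethernet uses 6.
    """
    if len(msg) < 44:
        raise ValueError("message shorter than the BOOTP fixed header")
    op, htype, hlen, _hops = struct.unpack_from("!BBBB", msg, 0)
    if op != 1:  # 1 = BOOTREQUEST (client -> server)
        raise ValueError("not a client request")
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet (htype 1, hlen 6) is handled here")
    return ":".join(f"{b:02x}" for b in msg[28:28 + hlen])


class FilteringDhcpServer:
    """Allocates addresses only to MACs registered in the device."""

    def __init__(self, registered, pool):
        self.registered = {m.lower() for m in registered}
        self.free = list(pool)
        self.leases = {}  # MAC -> IP: the stored MAC/IP correlation

    def handle(self, msg: bytes):
        mac = parse_chaddr(msg)
        if mac not in self.registered:
            return None  # unregistered MAC: request rejected, no address
        if mac in self.leases:
            return self.leases[mac]  # same terminal keeps its address
        if not self.free:
            return None  # pool exhausted
        ip = self.free.pop(0)
        self.leases[mac] = ip
        return ip


def build_request(mac: str, xid: int = 0x1234) -> bytes:
    """Construct a minimal BOOTREQUEST carrying the given MAC (sample input)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero = b"\x00" * 4
    return struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, 0, 0,
                       zero, zero, zero, zero, chaddr)
```

As the text notes, the check keys on the MAC alone: a request carrying a registered MAC from any access line is served, so the server cannot tell a registered terminal from one presenting a copied MAC.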